[Openswan Users] When IPSec tunnel up, cannot communicate with local LAN
Patrick Naubert
patrickn at xelerance.com
Wed Oct 1 11:29:44 EDT 2014
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: "Peter McGill" <petermcgill at goco.net>
Subject: When IPSec tunnel up, cannot communicate with local LAN
Date: October 1, 2014 at 10:56:55 AM GMT-4
To: <users at lists.openswan.org>
I’m running on Debian Wheezy (Current Stable).
When I stop openswan (service ipsec stop), I can ping and communicate with the local LAN 172.21.2.0/24.
When I start openswan (service ipsec start), I can ping the remote LAN but not the local LAN.
The remote LAN and local LAN can communicate (through the openswan server).
But the openswan server cannot communicate with the local LAN.
It’s not firewall related, it happens without any iptables rules.
I’ve had similar configurations working in the past and I’m puzzled…
/etc/ipsec.conf:
version 2.0
config setup
    oe=off
    protostack=netkey
conn goco
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    left=162.53.19.209
    leftsubnet=172.21.2.0/24
    leftsourceip=172.21.2.1
    right=207.223.232.56
    rightsubnet=172.21.0.0/20
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=start
root at lark:~# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
root at lark:~# ip route show
default via 162.53.19.1 dev eth0
10.176.0.0/18 dev eth1 proto kernel scope link src 10.176.2.57
10.176.0.0/12 via 10.176.0.1 dev eth1
10.208.0.0/12 via 10.176.0.1 dev eth1
162.53.19.0/24 dev eth0 proto kernel scope link src 162.53.19.209
172.21.2.0/24 dev eth2 proto kernel scope link src 172.21.2.1
root at lark:~# ping 172.21.2.2
PING 172.21.2.2 (172.21.2.2) 56(84) bytes of data.
64 bytes from 172.21.2.2: icmp_req=1 ttl=64 time=3.88 ms
64 bytes from 172.21.2.2: icmp_req=2 ttl=64 time=0.825 ms
64 bytes from 172.21.2.2: icmp_req=3 ttl=64 time=0.498 ms
64 bytes from 172.21.2.2: icmp_req=4 ttl=64 time=0.548 ms
^C
--- 172.21.2.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.498/1.438/3.882/1.416 ms
root at lark:~# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
root at lark:~# ip route show
default via 162.53.19.1 dev eth0
10.176.0.0/18 dev eth1 proto kernel scope link src 10.176.2.57
10.176.0.0/12 via 10.176.0.1 dev eth1
10.208.0.0/12 via 10.176.0.1 dev eth1
162.53.19.0/24 dev eth0 proto kernel scope link src 162.53.19.209
172.21.0.0/20 dev eth0 scope link src 172.21.2.1
172.21.2.0/24 dev eth2 proto kernel scope link src 172.21.2.1
root at lark:~# ping 172.21.1.32
PING 172.21.1.32 (172.21.1.32) 56(84) bytes of data.
64 bytes from 172.21.1.32: icmp_req=1 ttl=127 time=35.9 ms
64 bytes from 172.21.1.32: icmp_req=2 ttl=127 time=35.0 ms
64 bytes from 172.21.1.32: icmp_req=3 ttl=127 time=48.2 ms
^C
--- 172.21.1.32 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 35.015/39.735/48.267/6.048 ms
root at lark:~# ping 172.21.2.2
PING 172.21.2.2 (172.21.2.2) 56(84) bytes of data.
^C
--- 172.21.2.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
root at lark:~# tail /var/log/syslog
Oct 1 10:37:39 lark kernel: [81702.608446] martian source 172.21.2.2 from 172.21.2.1, on dev eth0
Oct 1 10:37:39 lark kernel: [81702.608449] ll header: bc:76:4e:20:00:a2:84:78:ac:57:15:c1:08:00
It appears that the server is trying to route the local LAN packet out the tunnel.
But I have no idea why; the routes look ok, the most specific route goes to the local LAN (eth2).
Peter McGill
Systems Analyst and Administrator
Gra Ham Energy Limited
519-284-3420 x204
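An added check, not part of Peter's post or of Openswan itself: in the conn above, rightsubnet 172.21.0.0/20 contains leftsubnet 172.21.2.0/24, so the IPsec policy built from those selectors also matches traffic from 172.21.2.1 to hosts on its own LAN, and with netkey that policy lookup happens independently of which route the table would choose. The script below (function names parse_conns, overlapping_selectors and policy_selects are assumptions of this example) parses a constructed copy of the conn and flags such overlapping selectors.

```python
import ipaddress

# Constructed sample: the conn from the post, indented as ipsec.conf expects.
IPSEC_CONF = """\
config setup
    protostack=netkey
conn goco
    left=162.53.19.209
    leftsubnet=172.21.2.0/24
    leftsourceip=172.21.2.1
    right=207.223.232.56
    rightsubnet=172.21.0.0/20
    authby=secret
    auto=start
"""

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line:
            continue
        if not line[0].isspace():  # unindented line = section header
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def overlapping_selectors(conf_text):
    """(conn, leftsubnet, rightsubnet) for each conn whose selectors overlap.
    The policy built from overlapping selectors also matches traffic between
    hosts of the same LAN, whatever interface the routing table would pick."""
    hits = []
    for name, opts in parse_conns(conf_text).items():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
            right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
            if left.overlaps(right):
                hits.append((name, str(left), str(right)))
    return hits

def policy_selects(conf_text, conn, src, dst):
    """True if a src->dst packet falls inside conn's leftsubnet->rightsubnet."""
    opts = parse_conns(conf_text)[conn]
    return (ipaddress.ip_address(src) in ipaddress.ip_network(opts["leftsubnet"], strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(opts["rightsubnet"], strict=False))
```

Running overlapping_selectors on the real /etc/ipsec.conf before bringing a tunnel up is a cheap way to catch a rightsubnet that swallows the local LAN; the fix on the config side is to make the two selectors disjoint.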